Andrew Jaquith's Blog

As I have pointed out previously in these pages, this year, the number of post-PC devices such as tablets, eReaders, and Internet-capable mobile phones, will eclipse PC devices, such as desktops, laptops, and netbooks. I heard a story earlier this week about a CEO who went to a board meeting and felt a little cranky because he was the only person at the meeting who didn’t have an iPad.

The invasion of non-traditional computing devices into the business sphere is a big deal for Security and Risk professionals. It changes the perception of what computing is, and creates what my colleague Jeff Hammond calls “the mess of many.” And when it comes to security, the changes are even more profound. Not only are these devices smaller and more personal, but they are more likely to be lost or stolen. And as your favorite security vendors have been pointing out, they just might be riskier too.

At Forrester we have a slightly different take than the security vendors. Post-PC devices aren’t like general-purpose PCs. They don’t run general-purpose operating systems, and they have distinct security characteristics that make them more risky in some ways, but less risky in other ways.

This morning, HP announced it was buying ArcSight for $1.5 billion, at a 70% market value premium compared to its value a month ago.

My colleague John Kindervag will probably be blogging on this acquisition in more detail, so I won’t steal his thunder. That said, I do have a few quick observations about the deal. The ArcSight acquisition should be seen against the broader tableau of the consolidation wave we have seen over the past two quarters:

That is about $10.1 billion in deal-making. All of these deals have a common theme: the acquisition targets are all leaders in their respective markets. That is because we are at the point in the market cycle where the larger potential acquirers have enough cash in the bank to buy top-shelf companies. There is not a lot of bottom-fishing going on. Why have catfish when you can have caviar?

Because the balance sheets of big potential acquirers like Symantec, Microsoft, IBM, Oracle et al are relatively healthy, we will likely continue to see additional M&A activity through the end of the next year and into Q1 2011.

This morning Intel announced plans to buy security vendor McAfee for $7.7 billion, valuing the company at a 60% premium over their market cap as of closing-time yesterday. The valuation is about 5 times the last trailing four quarters’ revenues, which is about typical for M&A deals in the security industry, and it suggests that both parties negotiated well. The price is not so high that it makes Intel look like Daddy Warbucks, but not so low that it looks like McAfee was desperate to sell.

But of course “a not so high price” is all relative. Nearly $8 billion is a lot of money. What on earth does Intel expect to get for all of the money it is spending on McAfee? I’ve been scratching my head over this, and despite McAfee CTO George Kurtz’ helpful blog post, I am still struggling to figure this one out. Let’s look at some of the stated rationales for the deal:

Internet security vendor BitDefender recently published the results of a study that found, unsurprisingly, that “75 percent of social networking username and password samples collected online were identical to those used for email accounts.” The SecurityWeek story reporting on the BitDefender study also noted that the report “advised users to be extra careful while creating passwords for social networking and email accounts and avoid using the same password just for the sake of convenience.”

The key word here is convenience. From the perspective of most consumers (and many enterprise employees), re-using the same password produces the most economic utility. This is the “Poor Man’s Single Sign-On” strategy (PM-SSO). It costs nothing to implement, requires the user to learn no new technologies or change habits, and is a relatively error-free operation. Moreover, the downside risks are low. With respect to identity theft, for example, most credit card issuers will refund your money if they determine your identity was stolen online. So speaking rationally, why wouldn’t you do this instead of fooling around with CardSpace, Norton Identity Safe, OAuth, OpenID, Facebook Connect or any number of enterprise SSO tools? Exactly.

Of course, from the security practitioner’s viewpoint, this is a rotten idea. It is insecure! It exposes you to risks! And it places you at the mercy of identity thieves, scammers and those nasty people that BitDefender (not to mention Mr. McAfee and Mr. Norton) has been talking about for years. Plus it is just not the right thing to do! ...somehow.

Research In Motion has been in the news a lot over the last few days. Last week, the news broke that the governments of the United Arab Emirates and India threatened to suspend service to RIM customers in their countries because of alleged threats to national security. I was quoted in today’s USA Today about this unfolding story.

But let us be clear: the “security problem” that officials in these governments were citing had nothing to do with actual security. As we have written about extensively, the BlackBerry device is well-designed from a security perspective. Its cryptography modules are FIPS-certified, and all of its communications are encrypted using industry-standard algorithms. We have called the BlackBerry the “gold standard” of secure corporate devices and continue to stand by that assessment.

Greetings. Here at Forrester, we are encouraged to think Deep Thoughts about Matters of Great Importance. Looking across the broader landscape of IT — of which security and risk is just a small part — we can see that one of the biggest and more important matters today is the influx of consumer-grade mobile gear into the workplace. Whether you call it Tech Populism (a favorite Forrester term) or Executive Bling (a favorite term of mine), it is no secret that enterprise CIOs are receiving lots of pressure to support unsanctioned devices like the iPhone and iPad in the workplace.

Today, Forrester published my report “Apple’s iPhone And iPad: Secure Enough For Business?” In it, we describe how the capabilities of Apple’s iOS 4 make these devices secure enough for many businesses to use safely. We define seven security policies every enterprise should implement to keep its email and corporate information safe on Apple mobile devices, whether or not the enterprise owns them. We also define additional security “high-water marks” — policies and processes you can implement — based on your risk profile and regulatory exposure. I hope you’ll read the report, and I welcome your comments and questions.

Greetings everyone. My name is Andrew Jaquith, and I serve security and risk professionals. Normally I blog over on the S&R analyst team blog. But because Forrester has been receiving so many inquiries about the security of iPhone and iPad devices, I thought it would make sense to let you know that my new report, “Apple’s iPhone And iPad: Secure Enough For Business?” is now live on the Forrester website and available to Forrester subscribers.

Apple’s iPhone and the iPad have become increasingly popular. In 2007, IT dismissed the iPhone as insecure and unsuitable for enterprises. Three years later, the iPhone (and iPad) gives enterprises enough security options to enable them to say “yes” instead of “no.” In this report, Forrester defines seven security policies every enterprise should implement to keep its email and corporate information safe on Apple mobile devices, whether or not the enterprise owns them. We also define additional security “high-water marks” — policies and processes you can implement — based on your risk profile and regulatory exposure. Finally, we acknowledge that while most enterprises can use Apple mobile devices securely, some require higher levels of authentication assurance, resistance to attack, manageability, and logging than the iPad or iPhone can provide. For these customers, Research In Motion’s BlackBerry still rules the roost.

“Citi said its iPhone app accidentally saved information—including account numbers, bill payments and security access codes—in a hidden file on users’ iPhones. The information may also have been saved to a user’s computer if it had been synched with an iPhone. The issue affected the approximately 117,600 customers who had registered the iPhone app with Citi since its launch in March 2009, a person familiar with the matter said. The bank doesn’t believe any personal data was exposed by the flaw.”

Forrester customers who are also Citi banking or credit card customers should immediately update their iPhone app. They should also change their account password if their phones have been stolen or lost.

I have not spoken to Citi about this matter, and I do not have inside knowledge about the nature of the vulnerability. However, it stands to reason that:

ComputerWorld columnist Roger Grimes recently blogged about “Security Rule No. 1: Assume You’re Hacked.” Roger, in turn, was reacting to a Forbes magazine article written by Richard Stiennon that made the same point. Both posts describe steps IT security and risk professionals should take, assuming their company computers have already been compromised.

These are well-written articles, and I recommend you read them. Here is Forrester’s take on this important issue. In short, I view accepting the inevitability of compromise as the first step in a broader risk management journey. It might seem a little odd to suggest that compromises (risks that have become tangibly expressed as threats, and successfully carried out) might have some relationship to risk management, but allow me to explain.

First, some background. In Roger’s column, he notes that every company he works with these days is compromised. The advice he gives on how to prevent compromise is generally very good:

Earlier this week, Forrester Research published my Market Overview: Enterprise Rights Management report. Brian Hill and I examined eight vendors in the enterprise rights management (ERM) space: Adobe, Microsoft, GigaTrust, Liquid Machines, NextLabs, Oracle, EMC, and Covertix. We found that the space is evolving to become less of a standalone market. From the report:

Because ERM allows data to protect itself via encryption, it is theoretically the perfect security technology for a world where the “dissolving perimeter” is an established fact. But historically, most enterprises don’t use ERM on an enterprisewide basis and do not use it to protect documents shared outside company boundaries. High cost, application rigidity, and integration shortcomings have limited market adoption. Forrester expects that ERM’s appeal will widen in the future. Integration with data leak prevention technology, content management infrastructure, and other risk mitigation solutions will drive adoption growth, particularly as enterprises roll out the latest versions of Microsoft Exchange and SharePoint.